
Victim sites

I didn't do this last year, but I keep seeing the same sites over and over this year, so I figured I'd let you know about another issue with hacking: "Victim sites".

A "victim site" is a legitimate site that gets hacked and has malicious code placed on it. You are then led to the site (usually by links in spam email). If you get infected, you blame the site owner, who oftentimes doesn't know what's going on.

Here is a list of redirects I got this week (October, 2011). I checked several, and they appear to be mostly legitimate sites that have been defaced (injection script on home page) and given an extra folder with a wacky name, where the really nasty stuff is housed (both phishing stuff and drive-by stuff). Some of these sites have been listed as "reported attack sites" by Google and Firefox, but not all. Some sites are being taken down by hosts, which is a shame when, in many cases, the owner of the site had no clue.

I'll put the list of what I found, and add to it next week when I go through the spam folder again. After the list, I'll put a few "tell-tale signs" for a risky URL.

Example email:

Subj: ACH Payment 0901816 Canceled

Payment Notification #68745890

The ACH transaction (ID:68745890 ), recently initiated from your checking account (by you or any other person), was canceled by the other financial institution

(the link is displayed as): http://nacha.org/report/48969656/detailis.php?n=2145

(but it actually goes to a 'victim site')

Victim sites: (do NOT go to these pages unless you have massive anti-everything on your PC):


-------------- 24 hours after I wrote this page, I ended up with another batch of them ------------------------


-------------- another 24 hours later, it seems to be slowing ------------------------


-------------- one last batch, from a few days of phishing ---------------------------


Hints about suspicious site links:

Any site that does not have a domain name (so it's http://#.#.#.#) should NOT be advertised.

Sites that have a tilde (~) after the first slash (/), e.g. home.somesite.com/~someshortname. This is a common trick to use a different/untracked folder on a server.

Sites with directories with nonsense names. A directory of "programs", or "cgi-bin" might be okay, but "0vnsa3"? The only reason for directories like that is to get site owners to think it's something "for the server", so they ignore the folder, if they ever see it at all.
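The three hints above, plus the displayed-versus-actual link mismatch from the example email, can be checked mechanically. This is an added example, not code from the original page: the function names are hypothetical, the sample URLs are constructed, and the "nonsense directory" rule is an assumed approximation.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: "nonsense" = a 5-8 character lowercase alphanumeric directory
# mixing letters and digits (like "0vnsa3"); letter-only names slip past it.
NONSENSE_DIR = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{5,8}$")


def _split(url):
    """Parse a URL, accepting scheme-less links as spam lists often show them."""
    return urlsplit(url if "://" in url else "http://" + url)


def suspicious_signs(url):
    """Return the tell-tale signs (from the hints above) found in url."""
    parts = _split(url)
    host = parts.hostname or ""
    segments = [s for s in parts.path.split("/") if s]
    # Only directories are checked, so a trailing file name is skipped.
    dirs = segments if parts.path.endswith("/") else segments[:-1]
    signs = []
    try:
        ipaddress.ip_address(host)
        signs.append("ip-literal-host")
    except ValueError:
        pass
    if segments and segments[0].startswith("~"):
        signs.append("tilde-user-dir")
    if any(NONSENSE_DIR.match(d) for d in dirs):
        signs.append("nonsense-directory")
    return signs


def link_mismatch(displayed, actual):
    """True when the host shown in the email differs from the real target."""
    return _split(displayed).hostname != _split(actual).hostname


# Constructed samples using documentation hosts, not entries from this page.
SAMPLES = [
    "http://192.0.2.10/~someuser/k3x9qa/index.html",
    "shop.example.com/a1b2c3/index.html",
    "www.example.org/programs/cgi-bin/index.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, suspicious_signs(u))
```

A hit is a reason to look closer, not a verdict: shared hosts legitimately use ~user paths, which is why these signs work best in combination.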

So, I'll add to this list as time permits. If you know someone who owns one of these domains, let them know their sites are being hacked, and links to the hacked area are being spammed. I got about 75 notes using these sites in the last 24 hours or so.

For the most part, site-scanner can find, and cleanup can remove, most of this stuff.